NAME

SYNOPSIS

DESCRIPTION

This subcommand interacts with a local or remote Puppet certificate
authority. Currently, its behavior is not a full superset of puppet
cert; specifically, it is unable to mimic puppet cert's "clean" option,
and its "generate" action submits a CSR rather than creating a
signed certificate.

OPTIONS

Note that any setting that's valid in the configuration
file is also a valid long argument, although it may or may not be
relevant to the present action. For example, server and run_mode are valid
settings, so you can specify --server <servername>, or
--run_mode <runmode> as an argument.

The format in which to render output. The most common formats are json,
s (string), yaml, and console, but other options such as dot are
sometimes available.

--verbose

Whether to log verbosely.

--debug

Whether to log debug information.

--ca-location LOCATION

Whether to act on the local certificate authority or one provided by a
remote puppet master. Allowed values are 'local' and 'remote.'

This option is required.

--extra HASH

A terminus can take additional arguments to refine the operation, which
are passed as an arbitrary hash to the back-end. Anything passed as
the extra value is just send direct to the back-end.

--terminus _TERMINUS

Indirector faces expose indirected subsystems of Puppet. These
subsystems are each able to retrieve and alter a specific type of data
(with the familiar actions of find, search, save, and destroy)
from an arbitrary number of pluggable backends. In Puppet parlance,
these backends are called terminuses.

Almost all indirected subsystems have a rest terminus that interacts
with the puppet master's data. Most of them have additional terminuses
for various local data models, which are in turn used by the indirected
subsystem on the puppet master whenever it receives a remote request.

The terminus for an action is often determined by context, but
occasionally needs to be set explicitly. See the "Notes" section of this
face's manpage for more details.

OPTIONS--dns-alt-names NAMES -
A comma-separated list of alternate DNS names for Puppet Server. These are extra
hostnames (in addition to its certname) that the server is allowed to use when
serving agents. Puppet checks this setting when automatically requesting a
certificate for Puppet agent or Puppet Server, and when manually generating a
certificate with puppet cert generate.

In order to handle agent requests at a given hostname (like
"puppet.example.com"), Puppet Server needs a certificate that proves it's
allowed to use that name; if a server shows a certificate that doesn't include
its hostname, Puppet agents will refuse to trust it. If you use a single
hostname for Puppet traffic but load-balance it to multiple Puppet Servers, each
of those servers needs to include the official hostname in its list of extra
names.

Note: The list of alternate names is locked in when the server's
certificate is signed. If you need to change the list later, you can't just
change this setting; you also need to:

On the server: Stop Puppet Server.

On the CA server: Revoke and clean the server's old certificate. (puppet cert clean <NAME>)

On the server: Delete the old certificate (and any old certificate signing requests)
from the ssldir.

On the server: Run puppet agent -t --ca_server <CA HOSTNAME> to request a new certificate

On the server: Run puppet agent -t --ca_server <CA HOSTNAME> to retrieve the cert.

On the server: Start Puppet Server again.

To see all the alternate names your servers are using, log into your CA server
and run puppet cert list -a, then check the output for (alt names: ...).
Most agent nodes should NOT have alternate names; the only certs that should
have them are Puppet Server nodes that you want other agents to trust.

An array of #inspect output from CSR objects. This output is
currently messy, but does contain the names of nodes requesting
certificates. This action returns #inspect strings even when used
from the Ruby API.